@arunelias
Created February 22, 2025 17:27
OWASP ZAP HTTPSender script to add session cookie to all Requests
// The sendingRequest and responseReceived functions will be called for all requests/responses sent/received by ZAP,
// including automated tools (e.g. active scanner, fuzzer, ...)
// Note that new HttpSender scripts will initially be disabled
// Right click the script in the Scripts tree and select "enable"
// 'initiator' is the component that initiated the request:
// 1 PROXY_INITIATOR
// 2 ACTIVE_SCANNER_INITIATOR
// 3 SPIDER_INITIATOR
// 4 FUZZER_INITIATOR
// 5 AUTHENTICATION_INITIATOR
// 6 MANUAL_REQUEST_INITIATOR
// 7 CHECK_FOR_UPDATES_INITIATOR
// 8 BEAN_SHELL_INITIATOR
// 9 ACCESS_CONTROL_SCANNER_INITIATOR
// 10 AJAX_SPIDER_INITIATOR
// For the latest list of values see the HttpSender class:
// https://github.com/zaproxy/zaproxy/blob/main/zap/src/main/java/org/parosproxy/paros/network/HttpSender.java
// 'helper' just has one method at the moment: helper.getHttpSender() which returns the HttpSender
// instance used to send the request.
//
// New requests can be made like this:
// msg2 = msg.cloneAll() // msg2 can then be safely changed as required without affecting msg
// helper.getHttpSender().sendAndReceive(msg2, false);
// print('msg2 response=' + msg2.getResponseHeader().getStatusCode())
// Java classes from ZAP that this script relies on. They are resolved through the
// script engine's Java interop, so these lines only work inside ZAP's script engine.
var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars");
var HtmlParameter = Java.type("org.parosproxy.paros.network.HtmlParameter");
// Parameter type that marks an HtmlParameter as a cookie (HtmlParameter.Type.cookie).
var COOKIE_TYPE = org.parosproxy.paros.network.HtmlParameter.Type.cookie;
// Exposes the *_INITIATOR constants compared against 'initiator' in sendingRequest.
var HttpSender = Java.type("org.parosproxy.paros.network.HttpSender");
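/**
 * Attaches the configured session cookie to every in-scope request.
 *
 * The cookie name and value are read from the ZAP global script variables
 * "session.key" and "session.secret" (set them with ScriptVars.setGlobalVar
 * or from another script). Requests are left untouched when:
 *  - they come from the authentication initiator (the login request itself),
 *  - they are out of scope (so the session token is never sent to hosts
 *    outside the tested scope), or
 *  - either global variable is unset/empty.
 *
 * @param {HttpMessage} msg - the request about to be sent; its request
 *   header is modified in place.
 * @param {number} initiator - the ZAP component sending the request
 *   (see the HttpSender *_INITIATOR constants).
 * @param {object} helper - ZAP helper, unused here.
 * @returns {boolean|undefined} true when the request was considered for the
 *   cookie (matching the original contract); ZAP ignores this value.
 */
function sendingRequest(msg, initiator, helper) {
  var key = ScriptVars.getGlobalVar("session.key");
  var secret = ScriptVars.getGlobalVar("session.secret");
  var requestURI = msg.getRequestHeader().getURI().toString();

  // Never rewrite the login request, and never leak the token out of scope.
  if (initiator === HttpSender.AUTHENTICATION_INITIATOR || !msg.isInScope()) {
    return;
  }
  // Nothing to add until both name and value have been configured.
  if (!key || !secret) {
    return;
  }
  // Login/logout related endpoints are not touched.
  // NOTE: this is a substring match on the whole URI string (scheme, host,
  // path and query), as in the original script.
  if (requestURI && requestURI.indexOf("/accounts/") !== -1) {
    return true;
  }

  var cookies = msg.getRequestHeader().getCookieParams();
  // Remove only cookies carrying the same name, so a stale session cookie is
  // replaced. The previous version evicted whichever cookie sorted first,
  // which could drop an unrelated cookie and leave a duplicate session cookie.
  var it = cookies.iterator();
  while (it.hasNext()) {
    if (String(it.next().getName()) === String(key)) {
      it.remove();
    }
  }
  cookies.add(new HtmlParameter(COOKIE_TYPE, key, secret));
  msg.getRequestHeader().setCookieParams(cookies);
  return true;
}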
/**
 * Response hook required by the HttpSender script interface.
 *
 * Intentionally a no-op: responses are passed through unchanged.
 *
 * @param {HttpMessage} msg - the received response (unused).
 * @param {number} initiator - the ZAP component that sent the request (unused).
 * @param {object} helper - ZAP helper (unused).
 * @returns {undefined}
 */
function responseReceived(msg, initiator, helper) {
  return;
}